detecting self mutating malware using control flow graph
play

Detecting Self-Mutating Malware Using Control-Flow Graph Matching - PowerPoint PPT Presentation

Feb 04, 2023 •109 likes •356 views

Detecting Self-Mutating Malware Using Control-Flow Graph Matching Danilo Bruschi Lorenzo Martignoni Mattia Monga Dipartimento di Informatica e Comunicazione Universit` a degli Studi di Milano { bruschi,martign,monga } @dico.unimi.it

  1. Detecting Self-Mutating Malware Using Control-Flow Graph Matching Danilo Bruschi Lorenzo Martignoni Mattia Monga Dipartimento di Informatica e Comunicazione Universit` a degli Studi di Milano { bruschi,martign,monga } @dico.unimi.it Conference on Detection of Intrusions and Malware & Vulnerability Assessment – 2006

  2. Outline Code Obfuscation and Self-mutation Strategies adopted to achieve self-mutation and code insertion Challenges for the detection Unveiling malicious code Code normalization Code comparison Prototype implementation Experimental results Summary and future works D. Bruschi, L. Martignoni, M. Monga Detecting Self-Mutating Malware Using Control-Flow Graph Matching DIMVA2006 2

  3. Code obfuscation and self-mutation ◮ Code obfuscation is a semantic-preserving program transformation that can be used to make a program harder to understand ◮ Self-mutation is a particular form of code obfuscation, which is performed automatically by the code on itself ◮ Self-mutation is adopted by malicious code to defeat detectors ◮ Self-mutation is applied during malicious code replication to generate completely new different instances D. Bruschi, L. Martignoni, M. Monga Detecting Self-Mutating Malware Using Control-Flow Graph Matching DIMVA2006 3

  4. Self-mutation Common transformations adopted to achieve self-mutation: ◮ Substitution of instructions ◮ Permutation of instructions ◮ Garbage insertion ◮ Substitution of variables ◮ Control flow alteration Signature matching becomes useless D. Bruschi, L. Martignoni, M. Monga Detecting Self-Mutating Malware Using Control-Flow Graph Matching DIMVA2006 4

  5. Self-mutation Common transformations adopted to achieve self-mutation: ◮ Substitution of instructions ◮ Permutation of instructions ◮ Garbage insertion ◮ Substitution of variables ◮ Control flow alteration Signature matching becomes useless D. Bruschi, L. Martignoni, M. Monga Detecting Self-Mutating Malware Using Control-Flow Graph Matching DIMVA2006 4

  6. Code insertion Common techniques adopted for malicious code insertion: ◮ Cavity insertion ◮ Jump tables manipulation ◮ Data segment expansion The malicious code is seamless integrated into the host code D. Bruschi, L. Martignoni, M. Monga Detecting Self-Mutating Malware Using Control-Flow Graph Matching DIMVA2006 5

  7. Code insertion Common techniques adopted for malicious code insertion: ◮ Cavity insertion ◮ Jump tables manipulation ◮ Data segment expansion The malicious code is seamless integrated into the host code D. Bruschi, L. Martignoni, M. Monga Detecting Self-Mutating Malware Using Control-Flow Graph Matching DIMVA2006 5

  8. Challenges for the detection Conventional detection techniques are likely to fail: ◮ Pattern matching fails since fragmentation and mutation make hard to find signature patterns ◮ Emulation would require a complete tracing of analyzed programs as the entry point of the guest is not known; moreover every execution should be traced until the malicious payload is not executed ◮ Heuristics based on ad-hoc predictable and observable alterations of executables become useless when insertion is performed producing almost no alteration of any of the static properties of the original binary Theoretical studies (Chess & White) demonstrated that perfect detection of a self-mutating malware is an undecidable problem D. Bruschi, L. Martignoni, M. Monga Detecting Self-Mutating Malware Using Control-Flow Graph Matching DIMVA2006 6

  9. Challenges for the detection Conventional detection techniques are likely to fail: ◮ Pattern matching fails since fragmentation and mutation make hard to find signature patterns ◮ Emulation would require a complete tracing of analyzed programs as the entry point of the guest is not known; moreover every execution should be traced until the malicious payload is not executed ◮ Heuristics based on ad-hoc predictable and observable alterations of executables become useless when insertion is performed producing almost no alteration of any of the static properties of the original binary Theoretical studies (Chess & White) demonstrated that perfect detection of a self-mutating malware is an undecidable problem D. Bruschi, L. Martignoni, M. Monga Detecting Self-Mutating Malware Using Control-Flow Graph Matching DIMVA2006 6

  10. Devised strategy Code interpretation and normalization ◮ Given a piece of code P which represents (or contains) an instance of a self-mutating malware we automatically revert all the mutations performed on it ◮ P is consequently reduced into a form, P N , which is pretty close to its archetype M and which can be recognized more easily Code comparison ◮ Detection is performed by looking for known abstract patterns into the transformed program P N D. Bruschi, L. Martignoni, M. Monga Detecting Self-Mutating Malware Using Control-Flow Graph Matching DIMVA2006 7

  11. Code normalization Code normalization A program is transformed into a canonical form which is simpler in term of structure or syntax while preserving the original semantic and that is more suitable for comparison ◮ Analysis of the transformations adopted to implement self-mutation and experimental observations highlighted some weakness: ◮ Transformations led to the generation of useless computations ◮ Most transformations are invertible ◮ Different instances of the same malware can be viewed as under-optimized version of the archetype; the archetype is consequently the normal form of the malicious code ◮ Code normalization can be performed adopting some of the well known techniques used by compiler to produce compact and efficient code D. Bruschi, L. Martignoni, M. Monga Detecting Self-Mutating Malware Using Control-Flow Graph Matching DIMVA2006 8

  12. Code normalization Some details ◮ Executable code is disassembled and translated into an intermediate form to explicit the semantic of each machine instruction ◮ Control-flow analysis and data-flow analysis are performed on the code to collect information that will be used by the next step ◮ Code transformations aim at: ◮ Identify all the instructions that do not contribute to the computation (dead and unreachable code elimination) ◮ Rewrite and simplify algebraic expressions in order to statically evaluate most of their sub-expressions (algebraic simplification) ◮ Propagate values computed by intermediate instructions to the appropriate use sites (expressions propagation) ◮ Analyze and try to evaluate control-flow transition conditions to identify tautologies and to rearrange the control to reduce the number of flow transitions (control-flow normalization) ◮ Analyze indirect control flow transitions to discover the smallest set of valid targets and the paths originating (indirections resolution) D. Bruschi, L. Martignoni, M. Monga Detecting Self-Mutating Malware Using Control-Flow Graph Matching DIMVA2006 9

  13. Code comparison Given the normalized program we need to answer the question: “is the program P N hosting the malware M ?” ◮ We cannot expect to find a perfect matching of M in P N even if most of the transformations have been reverted ◮ The code comparator must be able to cope with some impurities left by normalization (we observed that these impurities are always local to basic blocks) ◮ The normalized control-flow of the malware is constant D. Bruschi, L. Martignoni, M. Monga Detecting Self-Mutating Malware Using Control-Flow Graph Matching DIMVA2006 10

  14. Code comparison Some details ◮ P N is represented through its interprocedural-control flow graph (ICFG) and M through its control-flow graph ◮ The malicious code detection can be formulated as a subgraph isomorphism decision problem: “given two graphs G 1 and G 2 , is G 1 isomorphic to a subgraph of G 2 ?” ( G 1 is M and G 2 is P N ) ◮ The graphs are augmented with labels to achieve the necessary trade-off between Instruction classes precision and abstraction (to handle possible Integer arithmetic impurities) Float arithmetic Logic ◮ Instructions and flow transitions are Comparison partitioned into classes; labels describe the Function call set of classes in which instructions of a basic . . . block can be grouped D. Bruschi, L. Martignoni, M. Monga Detecting Self-Mutating Malware Using Control-Flow Graph Matching DIMVA2006 11

  15. Code comparison Some details P N ◮ P N is represented through its interprocedural-control flow graph (ICFG) M and M through its control-flow graph ◮ The malicious code detection can be formulated as a subgraph isomorphism decision problem: “given two graphs G 1 and G 2 , is G 1 isomorphic to a subgraph of G 2 ?” ( G 1 is M and G 2 is P N ) ◮ The graphs are augmented with labels to achieve the necessary trade-off between Instruction classes precision and abstraction (to handle possible Integer arithmetic impurities) Float arithmetic Logic ◮ Instructions and flow transitions are Comparison partitioned into classes; labels describe the Function call set of classes in which instructions of a basic . . . block can be grouped D. Bruschi, L. Martignoni, M. Monga Detecting Self-Mutating Malware Using Control-Flow Graph Matching DIMVA2006 11

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dataflow analysis Theory and Applications cs6463 1 Control-flow graph Graphical

Dataflow analysis Theory and Applications cs6463 1 Control-flow graph Graphical

Dataflow analysis Theory and Applications cs6463 1 Control-flow graph Graphical representation of runtime control-flow paths Nodes of graph: basic blocks (straight-line computations) Edges of graph: flows of control Useful for

679 views • 39 slides
Representing the control flow of a program P3 / 2003 Control forms a graph Loop

Representing the control flow of a program P3 / 2003 Control forms a graph Loop

Representing the control flow of a program P3 / 2003 Control forms a graph Loop Optimizations A very large graph Observation lot of straight-line connections simplify the graph by grouping some instructions Kostis

535 views • 7 slides
More refined representations Control dependence graph Problem: control-flow edges in CFG

More refined representations Control dependence graph Problem: control-flow edges in CFG

More refined representations Control dependence graph Problem: control-flow edges in CFG overspecify evaluation Program dependence graph (PDG): order data dependence graph + control dependence graph (CDG) [Ferrante, Ottenstein, & Warren,

260 views • 5 slides
Representing the control flow of a program P3 / 2004 Control forms a graph Loop

Representing the control flow of a program P3 / 2004 Control forms a graph Loop

Representing the control flow of a program P3 / 2004 Control forms a graph Loop Optimizations A very large graph Observation lot of straight-line connections simplify the graph by grouping some instructions Spring 2004

223 views • 7 slides
Foundations of pred(n) = set of all immediate predecessors of n p ( ) p Dataflow Analysis

Foundations of pred(n) = set of all immediate predecessors of n p ( ) p Dataflow Analysis

Terminology: Program Representation e o ogy: og a ep ese tat o Control Flow Graph: Control Flow Graph: Nodes N statements of program Edges E flow of control Foundations of pred(n) = set of all immediate predecessors of

591 views • 17 slides
Why Data Flow Models? Models from Chapter 5 emphasized control Control flow graph, call

Why Data Flow Models? Models from Chapter 5 emphasized control Control flow graph, call

Why Data Flow Models? Models from Chapter 5 emphasized control Control flow graph, call graph, finite state machines We also need to reason about dependence Dependence and Data Flow Models Where does this value of x come from?

369 views • 9 slides
Efficient Control-Flow Subgraph Matching for Detecting Hardware Trojans in RTL Models L.

Efficient Control-Flow Subgraph Matching for Detecting Hardware Trojans in RTL Models L.

ACM/IEEE CODES + ISSS 2017, Seoul, South Korea Efficient Control-Flow Subgraph Matching for Detecting Hardware Trojans in RTL Models L. Piccolboni 1,2 , A. Menon 2 , and G. Pravadelli 2 1 Columbia University, New York, NY, USA 2 University of

840 views • 60 slides
Streamlining Control-Flow Graph Construction with DCFlow Mark Hills 7th International

Streamlining Control-Flow Graph Construction with DCFlow Mark Hills 7th International

Streamlining Control-Flow Graph Construction with DCFlow Mark Hills 7th International Conference on Software Language Engineering (SLE 2014) September 15-16, 2014 Vsters, Sweden http://www.rascal-mpl.org 1 Say you need a control flow

512 views • 29 slides
StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen

StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen

StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen Chen, Minhui Xue, Zhushou Tang, Lihua Xu, Haojin Zhu Malware Detection in Android 1.6 million apps in Google Play Store in July 2015

441 views • 22 slides
Graph IRs Control Flow Graphs + The three-address IR looks like assembly language including

Graph IRs Control Flow Graphs + The three-address IR looks like assembly language including

10/31/2012 Graph IRs Control Flow Graphs + The three-address IR looks like assembly language including control transfer Directed Acyclic Graphs instructions. Eliminate storage and calculation redundancy * Labeling or numbering IR statements

290 views • 3 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Dataflow Testing Chapter 10 Dataflow Testing Testing All-Nodes and All-Edges in a control

Dataflow Testing Chapter 10 Dataflow Testing Testing All-Nodes and All-Edges in a control

Dataflow Testing Chapter 10 Dataflow Testing Testing All-Nodes and All-Edges in a control flow graph may miss significant test cases Testing All-Paths in a control flow graph is often too time- consuming Can we select a subset of

743 views • 47 slides
Dataflow Testing Chapter 10 Dataflow Testing Testing All-Nodes and All-Edges in a control

Dataflow Testing Chapter 10 Dataflow Testing Testing All-Nodes and All-Edges in a control

Dataflow Testing Chapter 10 Dataflow Testing Testing All-Nodes and All-Edges in a control flow graph may miss significant test cases Testing All-Paths in a control flow graph is often too time- consuming Can we select a subset of

682 views • 24 slides
Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification and overview of main techniques TCP Tahoe, Reno, Vegas TCP Westwood Readings: (1) Keshavs book Chapter on Flow Control; (2)

374 views • 22 slides
Procopiou Anna 931769 Professor: Dr. Athanasopoulos Elias 1 Articles 1. Detecting Malware

Procopiou Anna 931769 Professor: Dr. Athanasopoulos Elias 1 Articles 1. Detecting Malware

Procopiou Anna 931769 Professor: Dr. Athanasopoulos Elias 1 Articles 1. Detecting Malware Domains at the Upper DNS Hierarchy -M.Antonakakis et. al 2. ZMap: Fast Internet-wide Scanning and Its Security Applications -Z. Durumeric et. al 2

1.17k views • 89 slides
Dataflow Testing Chapter 10 Dataflow Testing Testing All-Nodes and All-Edges in a control

Dataflow Testing Chapter 10 Dataflow Testing Testing All-Nodes and All-Edges in a control

Dataflow Testing Chapter 10 Dataflow Testing Testing All-Nodes and All-Edges in a control flow graph may miss significant test cases Testing All-Paths in a control flow graph is often too time- consuming Can we select a

557 views • 31 slides
More complex scoring functions Until now: Bioinformatics Algorithms match, mismatch, gap

More complex scoring functions Until now: Bioinformatics Algorithms match, mismatch, gap

More complex scoring functions Until now: Bioinformatics Algorithms match, mismatch, gap (linear gap functions) (Fundamental Algorithms, module 2) match, mismatch, gap open, gap extend (a ffi ne gap functions) i.e. f ( a , b ) depends

186 views • 4 slides
CSCE 471/871 Lecture 2: Pairwise Alignments Why should we care? How do we do it? Stephen

CSCE 471/871 Lecture 2: Pairwise Alignments Why should we care? How do we do it? Stephen

Outline What is a sequence alignment? CSCE 471/871 Lecture 2: Pairwise Alignments Why should we care? How do we do it? Stephen D. Scott Scoring matrices Algorithms for finding optimal alignments Statistically validating

141 views • 10 slides
The absolutely neutralizing coalescence theory of mutation Paul de Lacy Rutgers University

The absolutely neutralizing coalescence theory of mutation Paul de Lacy Rutgers University

The absolutely neutralizing coalescence theory of mutation Paul de Lacy Rutgers University Network on Core Mechanisms of Exponence Universitt Leipzig Friday, 8 January 2008 This talk argues that mutation is due to the coalescence of (parts

469 views • 17 slides
Longest Cycle Crossover for Solving the Capacitated Vehicle Routing Problem Depar artment ment

Longest Cycle Crossover for Solving the Capacitated Vehicle Routing Problem Depar artment ment

An Evolutionary Algorithm with Heuristic Longest Cycle Crossover for Solving the Capacitated Vehicle Routing Problem Depar artment ment of C Computer er Science ence and Information mation Engineer neering, ng, Natio ional nal T aiwan

621 views • 37 slides
CSE 331 Mutation and immutability slides created by Marty Stepp based on materials by M. Ernst,

CSE 331 Mutation and immutability slides created by Marty Stepp based on materials by M. Ernst,

CSE 331 Mutation and immutability slides created by Marty Stepp based on materials by M. Ernst, S. Reges, D. Notkin, R. Mercer, Wikipedia http://www.cs.washington.edu/331/ 1 Mutation mutation : A modification to the state of an object.

571 views • 29 slides
CS 251 Fall 2019 CS 251 Fall 2019 Topics Principles of Programming Languages Principles

CS 251 Fall 2019 CS 251 Fall 2019 Topics Principles of Programming Languages Principles

CS 251 Fall 2019 CS 251 Fall 2019 Topics Principles of Programming Languages Principles of Programming Languages Ben Wood Ben Wood Mutation is unnecessary. Immutability Immutability offers referential transparency. Mutation

564 views • 3 slides
In a world where bindings and values Immutability: obstacle or tool? are

In a world where bindings and values Immutability: obstacle or tool? are

9/22/15 In a world where bindings and values Immutability: obstacle or tool? are immutable Discuss based on: Have you noticed? Programming experience in 251 and previously Readings

328 views • 3 slides
Miscellaneous: tracking on the web (& start on malware) CS 161: Computer Security Prof.

Miscellaneous: tracking on the web (& start on malware) CS 161: Computer Security Prof.

Miscellaneous: tracking on the web (& start on malware) CS 161: Computer Security Prof. Raluca Ada Popa April 17, 2018 Credit: some slides are adapted from previous offerings of this course or from CS 241 of Prof. Dan Boneh Miscellaneous

1.14k views • 83 slides

More recommend